Overview

overview

10

Static

static

Patch.exe

windows7_x64

6

Patch.exe

windows10_x64

7

Patch.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    706s
  • max time network
    714s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    20-03-2022 14:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Patch.exe

  • Size

    21.3MB

  • MD5

    f705ac4adf35e2b348c3e200760fcf61

  • SHA1

    e1925f0698267d1d78c21db13e5034274d1622cb

  • SHA256

    8139c166d6dbebac912d37fb5d36a8c78a1ce7918ee228e929d98880638a4a08

  • SHA512

    a138445aa13661d51571a1dc8abd870648a7be29ec16cc7a33fd395f382aa8c6e21ff2b960f1f2d40d7ab3d8edd701c43532dca9715bd649721bf906be207a41

Score
10/10
prometheusdiscoverypersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\2776_1844564368\english_wikipedia.txt

Family

prometheus

Ransom Note
the of and in was is for as on with by he at from his an were are which doc https also or has had first one their its after new who they two her she been other when time during there into school more may years over only year most would world city some where between later three state such then national used made known under many university united while part season team these american than film second born south became states war through being including both before north high however people family early history album area them series against until since district county name work life group music following number company several four called played released career league game government house each based day same won use station club international town located population general college east found age march end september began home public church line june river member system place century band july york january october song august best former british party named held village show local november took service december built another major within along members five single due although small old left final large include building served president received games death february main third set children own order species park law air published road died book men women army often according education central country division english top included development french community among water play side list times near late form original different center power led students german moved court six land council island u.s. record million research art established award street military television given region support western production non political point cup period business title started various election using england role produced become program works field total office class written association radio union level championship director few force created department founded services married though per n't site open act short society version royal present northern worked professional full returned joined story france european currently language social california india days design st. further round australia wrote san project control southern railway board popular continued free battle considered video common position living half playing recorded red post described average records special modern appeared announced areas rock release elected others example term opened similar formed route census current schools originally lake developed race himself forces addition information upon province match event songs result events win eastern track lead teams science human construction minister germany awards available throughout training style body museum australian health seven signed chief eventually appointed sea centre debut tour points media light range character across features families largest indian network less performance players refer europe sold festival usually taken despite designed committee process return official episode institute stage followed performed japanese personal thus arts space low months includes china study middle magazine leading japan groups aircraft featured federal civil rights model coach canadian books remained eight type independent completed capital academy instead kingdom organization countries studies competition sports size above section finished gold involved reported management systems industry directed market fourth movement technology bank ground campaign base lower sent rather added provided coast grand historic valley conference bridge winning approximately films chinese awarded degree russian shows native female replaced municipality square studio medical data african successful mid bay attack previous operations spanish theatre student republic beginning provide ship primary owned writing tournament culture introduced texas related natural parts governor reached ireland units senior decided italian whose higher africa standard income professor placed regional los buildings championships active novel energy generally interest via economic previously stated itself channel below operation leader traditional trade structure limited runs prior regular famous saint navy foreign listed artist catholic airport results parliament collection unit officer goal attended command staff commission lived location plays commercial places foundation significant older medal self scored companies highway activities programs wide musical notable library numerous paris towards individual allowed plant property annual contract whom highest initially required earlier assembly artists rural seat practice defeated ended soviet length spent manager press associated author issues additional characters lord zealand policy engine township noted historical complete financial religious mission contains nine recent represented pennsylvania administration opening secretary lines report executive youth closed theory writer italy angeles appearance feature queen launched legal terms entered issue edition singer greek majority background source anti cultural complex changes recording stadium islands operated particularly basketball month uses port castle mostly names fort selected increased status earth subsequently pacific cover variety certain goals remains upper congress becoming studied irish nature particular loss caused chart dr. forced create era retired material review rate singles referred larger individuals shown provides products speed democratic poland parish olympics cities themselves temple wing genus households serving cost wales stations passed supported view cases forms actor male matches males stars tracks females administrative median effect biography train engineering camp offered chairman houses mainly 19th surface therefore nearly score ancient subject prime seasons claimed experience specific jewish failed overall believed plot troops greater spain consists broadcast heavy increase raised separate campus 1980s appears presented lies composed recently influence fifth nations creek references elections britain double cast meaning earned carried producer latter housing brothers attempt article response border remaining nearby direct ships value workers politician academic label 1970s commander rule fellow residents authority editor transport dutch projects responsible covered territory flight races defense tower emperor albums facilities daily stories assistant managed primarily quality function proposed distribution conditions prize journal code vice newspaper corps highly constructed mayor critical secondary corporation rugby regiment ohio appearances serve allow nation multiple discovered directly scene levels growth elements acquired 1990s officers physical 20th latin host jersey graduated arrived issued literature metal estate vote immediately quickly asian competed extended produce urban 1960s promoted contemporary global formerly appear industrial types opera ministry soldiers commonly mass formation smaller typically drama shortly density senate effects iran polish prominent naval settlement divided basis republican languages distance treatment continue product mile sources footballer format clubs leadership initial offers operating avenue officially columbia grade squadron fleet percent farm leaders agreement likely equipment website mount grew method transferred intended renamed iron asia reserve capacity politics widely activity advanced relations scottish dedicated crew founder episodes lack amount build efforts concept follows ordered leaves positive economy entertainment affairs memorial ability illinois communities color text railroad scientific focus comedy serves exchange environment cars direction organized firm description agency analysis purpose destroyed reception planned revealed infantry architecture growing featuring household candidate removed situated models knowledge solo technical organizations assigned conducted participated largely purchased register gained combined headquarters adopted potential protection scale approach spread independence mountains titled geography applied safety mixed accepted continues captured rail defeat principal recognized lieutenant mentioned semi owner joint liberal actress traffic creation basic notes unique supreme declared simply plants sales massachusetts designated parties jazz compared becomes resources titles concert learning remain teaching versions content alongside revolution sons block premier impact champions districts generation estimated volume image sites account roles sport quarter providing zone yard scoring classes presence performances representatives hosted split taught origin olympic claims critics facility occurred suffered municipal damage defined resulted respectively expanded platform draft opposition expected educational ontario climate reports atlantic surrounding performing reduced ranked allows birth nominated younger newly kong positions theater philadelphia heritage finals disease sixth laws reviews constitution tradition swedish theme fiction rome medicine trains resulting existing deputy environmental labour classical develop fans granted receive alternative begins nuclear fame buried connected identified palace falls letters combat sciences effort villages inspired regions towns conservative chosen animals labor attacks materials yards steel representative orchestra peak entitled officials returning reference northwest imperial convention examples ocean publication painting subsequent frequently religion brigade fully sides acts cemetery relatively oldest suggested succeeded achieved application programme cells votes promotion graduate armed supply flying communist figures literary netherlands korea worldwide citizens 1950s faculty draw stock seats occupied methods unknown articles claim holds authorities audience sweden interview obtained covers settled transfer marked allowing funding challenge southeast unlike crown rise portion transportation sector phase properties edge tropical standards institutions philosophy legislative hills brand fund conflict unable founding refused attempts metres permanent starring applications creating effective aired extensive employed enemy expansion billboard rank battalion multi vehicle fought alliance category perform federation poetry bronze bands entry vehicles bureau maximum billion trees intelligence greatest screen refers commissioned gallery injury confirmed setting treaty adult americans broadcasting supporting pilot mobile writers programming existence squad minnesota copies korean provincial sets defence offices agricultural internal core northeast retirement factory actions prevent communications ending weekly containing functions attempted interior weight bowl recognition incorporated increasing ultimately documentary derived attacked lyrics mexican external churches centuries metropolitan selling opposed personnel mill visited presidential roads pieces norwegian controlled 18th rear influenced wrestling weapons launch composer locations developing circuit specifically studios shared canal wisconsin publishing approved domestic consisted determined comic establishment exhibition southwest fuel electronic cape converted educated melbourne hits wins producing norway slightly occur surname identity represent constituency funds proved links structures athletic birds contest users poet institution display receiving rare contained guns motion piano temperature publications passenger contributed toward cathedral inhabitants architect exist athletics muslim courses abandoned signal successfully disambiguation tennessee dynasty heavily maryland jews representing budget weather missouri introduction faced pair chapel reform height vietnam occurs motor cambridge lands focused sought patients shape invasion chemical importance communication selection regarding homes voivodeship maintained borough failure aged passing agriculture oregon teachers flow philippines trail seventh portuguese resistance reaching negative fashion scheduled downtown universities trained skills scenes views notably typical incident candidates engines decades composition commune chain inc. austria sale values employees chamber regarded winners registered task investment colonial swiss user entirely flag stores closely entrance laid journalist coal equal causes turkish quebec techniques promote junction easily dates kentucky singapore residence violence advance survey humans expressed passes streets distinguished qualified folk establish egypt artillery visual improved actual finishing medium protein switzerland productions operate poverty neighborhood organisation consisting consecutive sections partnership extension reaction factor costs bodies device ethnic racial flat objects chapter improve musicians courts controversy membership merged wars expedition interests arab comics gain describes mining bachelor crisis joining decade 1930s distributed habitat routes arena cycle divisions briefly vocals directors degrees object recordings installed adjacent demand voted causing businesses ruled grounds starred drawn opposite stands formal operates persons counties compete wave israeli ncaa resigned brief greece combination demographics historian contain commonwealth musician collected argued louisiana session cabinet parliamentary electoral loan profit regularly conservation islamic purchase 17th charts residential earliest designs paintings survived moth items goods grey anniversary criticism images discovery observed underground progress additionally participate thousands reduce elementary owners stating iraq resolution capture tank rooms hollywood finance queensland reign maintain iowa landing broad outstanding circle path manufacturing assistance sequence gmina crossing leads universal shaped kings attached medieval ages metro colony affected scholars oklahoma coastal soundtrack painted attend definition meanwhile purposes trophy require marketing popularity cable mathematics mississippi represents scheme appeal distinct factors acid subjects roughly terminal economics senator diocese prix contrast argentina czech wings relief stages duties 16th novels accused whilst equivalent charged measure documents couples request danish defensive guide devices statistics credited tries passengers allied frame puerto peninsula concluded instruments wounded differences associate forests afterwards replace requirements aviation solution offensive ownership inner legislation hungarian contributions actors translated denmark steam depending aspects assumed injured severe admitted determine
URLs

https

http

Signatures

  • Prometheus Ransomware

    Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.

    ransomwareprometheus
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Patch.exe
    "C:\Users\Admin\AppData\Local\Temp\Patch.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3864
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://crackingpatching.com/
      2⤵
      • Adds Run key to start application
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7fff89fa46f8,0x7fff89fa4708,0x7fff89fa4718
        3⤵
          PID:3156
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
          3⤵
            PID:4008
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3200
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
            3⤵
              PID:4556
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
              3⤵
                PID:1688
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
                3⤵
                  PID:3596
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5168 /prefetch:8
                  3⤵
                    PID:2872
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
                    3⤵
                      PID:1180
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
                      3⤵
                        PID:4868
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
                        3⤵
                          PID:3136
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
                          3⤵
                            PID:3128
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
                            3⤵
                              PID:3472
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
                              3⤵
                                PID:3328
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7296 /prefetch:8
                                3⤵
                                  PID:4628
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                                  3⤵
                                  • Drops file in Program Files directory
                                  PID:4676
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff791fd5460,0x7ff791fd5470,0x7ff791fd5480
                                    4⤵
                                      PID:4264
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7296 /prefetch:8
                                    3⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:380
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4276 /prefetch:8
                                    3⤵
                                      PID:3040
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3584 /prefetch:8
                                      3⤵
                                        PID:2324
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2956 /prefetch:2
                                        3⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:3772
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4760 /prefetch:8
                                        3⤵
                                          PID:1668
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6032 /prefetch:8
                                          3⤵
                                            PID:4568
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5580 /prefetch:8
                                            3⤵
                                              PID:1924
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7220 /prefetch:8
                                              3⤵
                                                PID:3520
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5320 /prefetch:8
                                                3⤵
                                                  PID:852
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,15287477923925922518,16453441132531982236,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7224 /prefetch:8
                                                  3⤵
                                                    PID:1948
                                              • C:\Windows\System32\CompPkgSrv.exe
                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                1⤵
                                                  PID:2460
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                  1⤵
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:3756

                                                Network

                                                MITRE ATT&CK Enterprise v6

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Advertising
                                                  Filesize

                                                  24KB

                                                  MD5

                                                  4e9962558e74db5038d8073a5b3431aa

                                                  SHA1

                                                  3cd097d9dd4b16a69efbb0fd1efe862867822146

                                                  SHA256

                                                  6f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279

                                                  SHA512

                                                  fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Analytics
                                                  Filesize

                                                  4KB

                                                  MD5

                                                  fad197d6ffd32d1268b9e7e8d13ab32a

                                                  SHA1

                                                  b0129887a75965bb2ef56a2c39d3231e5b87265d

                                                  SHA256

                                                  4e446af739e1a06b48a73607e9441bc4aa34ceafd808ff845864408179a4d2c3

                                                  SHA512

                                                  01d9f588bfa315e316ff0ff4a15a0a49144fd77ee89960882cd528d7f7a277b086667cea2357c3ca2bd16a2b3f4aeb7fcaf473501b499101be68acbe1e0126cb

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\CompatExceptions
                                                  Filesize

                                                  660B

                                                  MD5

                                                  900263477e1368869fbf1be99990c878

                                                  SHA1

                                                  e56e199aa4119f3cc4c4d46f96daea89bbf9685a

                                                  SHA256

                                                  7f660d9db521646e9c6510d844b6c6ea26716b620c46f34edaf7ce318a9473e4

                                                  SHA512

                                                  1035b388b4b00c744824d13c5ef48118d88abbb53e9d76896a2d96a2a127a7739c119e781d7d5f0b8d910e10539c0c502c9f937fc2487747c65e7285f4b1e6d2

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Content
                                                  Filesize

                                                  6KB

                                                  MD5

                                                  94c183b842784d0ae69f8aa57c8ac015

                                                  SHA1

                                                  c5b1ebc2b5c140ccbb21cd377ca18f3c5d0b80cd

                                                  SHA256

                                                  aa5c4d50684aa478d5982e509cbf1f8347fbc9cc75cb847d54915c16c3a33d25

                                                  SHA512

                                                  5808ddb81657acf4712fa845c95aacbab32a414ffda3b9d1218637e2d53bd3e0d6b95c872779ead6eaa13b4d2d563494ad5587337958bd17f1e791fad5d822fb

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Cryptomining
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  8c31feb9c3faaa9794aa22ce9f48bfbd

                                                  SHA1

                                                  f5411608a15e803afc97961b310bb21a6a8bd5b6

                                                  SHA256

                                                  6016fd3685046b33c7a2b1e785ac757df20e7c760abe0c27e1b8b0294222421d

                                                  SHA512

                                                  ba4b5886c04ba8f7a7dbb87e96d639783a5969a245de181cf620b8f536e3ac95bbd910cd2f1f6aae6c3cd70fc1ef6209dc10d2b083ec51861b51d83f95811baa

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Entities
                                                  Filesize

                                                  68KB

                                                  MD5

                                                  0d37c9d98f35f2c6524bd9b874ec93ed

                                                  SHA1

                                                  87d2d1149db8a1c2d91bc8d2d6e2827d2d8850f5

                                                  SHA256

                                                  19ce05d2716fae5d0d6e2067a7a624c0fa7f8b02486d9469861fd30cf1c499ac

                                                  SHA512

                                                  68e73804a144cbe7287c2136ab1986c4e2a97c497d5bfd36ef5db0f1fb1b4a28839d63d83019082ce61af9b42853934888ce05d6b28350742776b97fa310a575

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Fingerprinting
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  b51076d21461e00fcbf3dbd2c9e96b2b

                                                  SHA1

                                                  31311536cf570f2f9c88d21f03a935ac6e233231

                                                  SHA256

                                                  21a8d3e85d76761a1aab9dca765efef5dfa08d49db037befd91833e4639dd993

                                                  SHA512

                                                  3e193220ddddc47ecea32a2f777e55faa12c7a8052323455c8d7a89c01048155c77ae009fd0f5bebea89f1fae4a88b6b3ceca4e808064f474ea5b3a9497598cb

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Other
                                                  Filesize

                                                  34B

                                                  MD5

                                                  cd0395742b85e2b669eaec1d5f15b65b

                                                  SHA1

                                                  43c81d1c62fc7ff94f9364639c9a46a0747d122e

                                                  SHA256

                                                  2b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707

                                                  SHA512

                                                  4df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Social
                                                  Filesize

                                                  999B

                                                  MD5

                                                  152b745da17397ed5a2f3059bb157600

                                                  SHA1

                                                  47bf4e575ba1acf47dcc99f1800f753b4cc65ef6

                                                  SHA256

                                                  ef994058a637f7b1b47c31c8670977084d1f86cc21a196920aa87f8ed31e98e8

                                                  SHA512

                                                  4984a8a46eb452b3c62f2c2ca8c9d999de37c39895ad9a9ed91d12a7731b1cd227f335829f7a6927f19cd8bf4dd7d6749fc853461a46fc97853d5b9e23171d31

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Advertising
                                                  Filesize

                                                  459B

                                                  MD5

                                                  d024831cae8599f0edee70275d99e843

                                                  SHA1

                                                  69e08b543802b130da5305cbb0140bda5601079c

                                                  SHA256

                                                  0b75817b9ce2164f52e537c66bbff0fe53024bf9a00fb193efd63fe48f34a978

                                                  SHA512

                                                  ee1096446f6a17bc3fde9aadb418ca4b2db5132cdde1e429300487aaf4d8b9865a3bbc95d3a3198cde137a6395f69c035b74a72f74edc22a490bccc3320b0b03

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Analytics
                                                  Filesize

                                                  50B

                                                  MD5

                                                  4cefbb980962973a354915a49d1b0f4d

                                                  SHA1

                                                  1d20148cab5cdadb85fad6041262584a12c2745d

                                                  SHA256

                                                  66de8db363de02974a1471153112e51f014bb05936ce870c433fd9a85b34455a

                                                  SHA512

                                                  6a088bbc6c40454165ddee3183667d2997dca5fcc8312f69e3c2397e61255e49b5146b24c2c64cd3c8867289e3abfdf1155e47722fdd8276f96d51e8f311d4b0

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Content
                                                  Filesize

                                                  36B

                                                  MD5

                                                  7f077f40c2d1ce8e95faa8fdb23ed8b4

                                                  SHA1

                                                  2c329e3e20ea559974ddcaabc2c7c22de81e7ad2

                                                  SHA256

                                                  bda08f8b53c121bbc03da1f5c870c016b06fa620a2c02375988555dd12889cdf

                                                  SHA512

                                                  c1fb5d40491ae22a155a9bd115c32cbe9dbcba615545af2f1a252475f9d59844763cd7c177f08277d8ef59e873b7d885fda17f2a504d9ec2c181d0f793cb542b

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Cryptomining
                                                  Filesize

                                                  32B

                                                  MD5

                                                  4ec1eda0e8a06238ff5bf88569964d59

                                                  SHA1

                                                  a2e78944fcac34d89385487ccbbfa4d8f078d612

                                                  SHA256

                                                  696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5

                                                  SHA512

                                                  c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Entities
                                                  Filesize

                                                  2KB

                                                  MD5

                                                  ba60431b366f83677a5bf1a2e4601799

                                                  SHA1

                                                  83f828c27de5429e25c38c36ba77e069d5c7b2de

                                                  SHA256

                                                  ab895ef5f75efd49dbb4fcdf7529e50ca622d13433e067bcf8a1f1127a944da3

                                                  SHA512

                                                  aa9ff0374fb3d4bff7ee5a78dd5ace340da4af1a844f453a40b2723a91b32e6e3f4bd736fb3f3cb210b016109660a7b5cc8440901c6bb410e61530286a4e0200

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Fingerprinting
                                                  Filesize

                                                  110B

                                                  MD5

                                                  a004023825237dadc8f934758ff9eaf2

                                                  SHA1

                                                  c981a900b5ce63884635cedfe5ba722416021cb2

                                                  SHA256

                                                  3c4e82aae615a7bed985b4544afecb774b728df1cc9f7561ea25b97482119ef7

                                                  SHA512

                                                  e49667fca51a6497ccae9b881d679b857c025f2945ab93c9a6769b1c0a632329993daefab6eda9ed70a32a75630d7b3d93dda5acda8ff87ffe5f090ca7b35e4f

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Other
                                                  Filesize

                                                  75B

                                                  MD5

                                                  c6c7f3ee1e17acbff6ac22aa89b02e4e

                                                  SHA1

                                                  bdbd0220e54b80b3d2ffbbddadc89bfbb8e64a8b

                                                  SHA256

                                                  a2f9f27d6938a74979d34484bced535412969c2533dc694bfa667fe81d66d7d4

                                                  SHA512

                                                  86ed28ffdd00b4a397a20968792fcd30dd4a891a187a7789c00c88b64689b334a11fa087eb54ccee813c181cf891b43184dde7af9a6f33caed2a71e2c445a7b4

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Social
                                                  Filesize

                                                  35B

                                                  MD5

                                                  976b1cf7e3442f88cd8ba26d3f0965bb

                                                  SHA1

                                                  b75438dc71de4ac761d94a215ddbffadcd1225b0

                                                  SHA256

                                                  decde67630f29fc003cb1f2ccbd7371a05079985a9cce93ec93c4fadd8dc5541

                                                  SHA512

                                                  d0472fed72e1eb0a7747a693a0e654fbe92dd028db3cc42377810d90474dd4099ac981cca333eb52c18e75ed04a1f1f79f3bf5957fe8b16086f1252b3454b8d5

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Staging
                                                  Filesize

                                                  519B

                                                  MD5

                                                  9ca5eb41a53645be63d247ad8a9a7869

                                                  SHA1

                                                  2e98b04b5a2efb04d20bc7fe51b05c4e4841205b

                                                  SHA256

                                                  f67c58a61ddef715b01debc66ddc0e3c365295ac9870328f6b8bdbcb02a6b8c9

                                                  SHA512

                                                  7dd7d295ccce957490f025eef124b22c809f140a96003126b801bbbdd94eb2115ee59e7d16dd1f020b1d6eaaff66853b9de2cbf7092c1692f40dbe21ab346fd8

                                                  Download Submit

                                                • \??\pipe\LOCAL\crashpad_2776_RZFYBIXUCBICUXQF
                                                  MD5

                                                  d41d8cd98f00b204e9800998ecf8427e

                                                  SHA1

                                                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                  SHA256

                                                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                  SHA512

                                                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                  Download Submit

                                                • memory/4008-131-0x00007FFFA8EA0000-0x00007FFFA8EA1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download